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Executive  Summary 


Problem: 

HQ  USAF/LGM  representatives  believe  the  current  configuration  and  use  of  CAS-B  as  a  Secret  system 
is  inefficient.  The  additional  requirements  created  by  the  classification  of  the  system  may  be 
unnecessary.  The  system  was  originally  designed  with  the  intention  of  including  data  for  nuclear 
munitions  and  was  consequently  designed  as  a  multi-level  secure  system.  Subsequently,  the  ^<^ision 
was  made  to  not  include  nuclear  munitions  data,  but  the  system  was  still  fielded  as  a  multi-level  system. 
There  is  a  need  to  clarify  what  data  must  actually  be  protected  and  to  find  a  better  way  of  operating. 


Objective(s): 

1.  Determine  what  CAS  data  is  classified.  2.  Document  whether  the  current  system  is  multi-level 
secure.  3.  Develop  more  efficient  options  to  deal  with  classification  requirements. 

Analysis/Results: 

Data  collected  in  this  study  showed  that  only  a  small  fraction  of  the  data  currently  maintam^/t  in  CAS-B 
is  classified.  This  data,  which  is  driving  the  classification  requirements  for  CAS-B,  is  not  accessed  on  a 
regular  basis.  Furthermore,  there  is  question  about  whether  the  data  currently  classified  should  remain 
classified.  HQ  USAF/XOfW  is  willing  to  readdress  the  classification  issue  to  ensure  they  are  only 
protecting  the  visibility  of  WRM  requirements. 

Conclusions: 


1.  Current  guidance  from  XOFW,  LGMW  and  LGX  does  not  agree  concerning  which  data  is  classified. 
Once  XO  makes  the  appropriate  changes  to  reflect  that  the  only  data  they  categorize  as  classified  is 
WRM  requirements,  this  must  be  reflected  in  all  appropriate  guidance. 

2.  CAS-B  proved  to  be  multi-level  secure  in  both  laboratory  and  field  tests.  Testing  done  by  the 
contractor  responsible  for  CAS  security  during  initial  development,  and  by  USAFE  during  the  summer 
of  1996,  showed  no  classified  data  was  compromised  while  operating  the  system  as  a  multi-level  secure 
system. 

3.  MAJCOMs  do  not  use  the  WRM  requirements  data  sent  forward  from  CAS-B.  The  users  at  CAS-B 
do  not  use  it  either;  it  is  dormant  unless  a  change  is  made  to  the  WCDO.  It  does  not  make  sense  to 
include  this  data,  especially  if  it  is  the  driving  force  behind  classification  of  the  system.  If  WRM 
requirements  are  removed  from  CAS-B,  the  entire  system  can  be  operated  in  an  unclassified  mode. 

4.  Since  there  is  no  need  to  maintain  the  classification  of  CAS-B  it  should  be  subsumed  by  the 
Integrated  Maintenance  Data  System  (IMDS).  Resolving  this  issue  now  will  relieve  IMDS  developers 
of  the  burden  of  developing  a  classified  system  to  accommodate  CAS-B  classification  requirements. 

Recommendations: 

1.  As  soon  as  HQ  USAF/XOFW  makes  appropriate  changes  to  guidance,  reflecting  that  only  WRM 
requirements  are  classified,  remove  WRM  requirements  from  CAS-B  and  use  it  as  an  unclassified 
system.  (OPR:  HQ  USAF/XOFW,  HQ  USAF/LGMW) 


2.  Until  guidance  changes,  authorize  the  inunediate  use  of  CAS-B  as  an  MLS,  by  approving  direct 
connection  between  the  mainframe  and  unclassified  terminals  as  demonstrated  in  the  USAFE  test. 
(OPR:  CAS  SPO,  HQ  USAF/LGMW). 

3.  Reconcile  guidance  to  reflect  one  standard  for  munitions  classification  through  a  meeting  of  all  key 
players.  This  meeting  must  include  HQ  USAF/LGMW,  HQ  USAF/XOFW,  HQ  USAF/LGX  and  the 
CAS  SPO.  (OPR:  HQ  USAF/LGMW). 
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CHAPTER  1 


INTRODUCTION 


BACKGROUND 

The  Combat  Ammunition  System  (CAS)  is  the  data  system  used  to  manage  Air  Force 
munitions.  It  contains  inventory  levels,  condition  codes,  base  requirements,  requisition 
information  and  other  critical  data  for  the  management  of  the  Air  Force  ammunition 
inventory.  The  system  is  comprised  of  four  subsystems:  CAS-B  is  the  base  level 
system,  CAS-C  is  the  command-level  system,  CAS-A  is  the  wholesale  level  system, 
and  CAS-D  is  the  deployable  system.  This  report  focuses  only  on  CAS-B. 

The  issue  of  classification  has  been  a  concern  since  the  initial  discussions  of  CAS 
design.  The  munitions  community  originally  intended  to  use  CAS  to  manage  nuclear 
munitions  as  well  as  conventional  munitions.  For  this  reason  they  were  interested  in 
developing  a  Multi-level  Secure  (MLS)  system  capable  of  handling  both  classified  and 
unclassified  data.  Prior  to  the  creation  of  CAS,  all  munitions  data  was  captured  in  the 
Standard  Base  Supply  System  (SBSS).  SBSS  was,  and  is,  an  unclassified  system. 
According  to  a  representative  of  HQ  USAF/XO,  which  is  the  office  for  classification 
authority  for  munitions  data,  the  XO  community  was  never  comfortable  with  all  the 
data  that  was  unprotected  in  SBSS,  but  prior  to  CAS  never  had  an  alternative.  During 
CAS  design,  the  XO  community  stated  they  would  support  the  creation  of  a  separate 
data  system  for  munitions  if  it  meant  certain  data  would  be  classified.  They  saw  the 
development  of  CAS  as  an  opportunity  to  classify  some  munitions  data.  However, 
when  the  munitions  community  decided  not  to  incorporate  data  pertaining  to  nuclear 
munitions,  they  then  had  a  system  which  was  considered  classified  despite  the  fact  that 
it  contained  the  same  data  previously  captured  in  the  unclassified  SBSS. 

Since  its  implementation  in  the  field,  CAS  has  been  used  as  a  Secret  system.  Users  and 
HQ  USAF/LGM  requested  the  AFLMA  examine  the  issue  to  determine  whether  CAS- 
B  contains  data  which  truly  needs  to  be  classified  and  whether  the  system  is  being  used 
in  the  most  efficient  way  possible  under  necessary  classification.  Researching 
justification  for  classification  of  the  system  was  made  more  relevant  by  the  release  of 
Executive  Order  12958  which  reversed  the  traditional  convention  of  defaulting  to  the 
highest  possible  classification  of  data.  This  new  guidance  dictates  that  when  there  is 
doubt  about  whether  something  should  be  classified  it  should  not. 


PROBLEM  STATEMENT 

HQ  USAF /LGM  representatives  believe  the  current  configuration  and  use  of  CAS-B  as 
a  Secret  system  is  inefficient. 
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STUDY  OBJECTIVES 

1)  Determine  what  data  is  classified.  2)  Document  whether  the  current  system  is  multi¬ 
level  secure.  3)  Develop  more  efficient  options  to  deal  with  classification 
requirements. 


CHAPTER  2 


DISCUSSION 


METHODOLOGY 


As  part  of  the  preliminary  analysis,  we  collected  data  to  determine  whether  the 
classification  of  CAS-B  was  actually  a  problem.  Members  of  the  munitions  community 
gave  their  input  through  several  means.  Some  were  interviewed  in  the  field  during  site 
visits,  some  gave  inputs  through  their  MAJCOM  representatives  and  some  gave  direct 
feedback  via  e-mail.  We  also  worked  closely  with  the  CAS  System  Program  Office  (SPO) 
throughout  the  research. 

In  order  to  determine  what  data  drives  the  classification  of  CAS-B,  we  consulted  the 
Munitions  Classification  Guide,  a  HQ  USAF/LGMW  publication,  coordinated  through 
HQ  USAF/XO.  We  gathered  various  correspondence  and  interviewed  personnel  from 
both  these  offices  and  the  SPO.  We  also  reviewed  API  25-101,  published  by  HQ 
USAF/LGX,  covering  the  War  Reserve  Materiel  program,  and  Executive  Order  12958- 
Classified  National  Security  Information. 

Determination  of  the  multi-level  secure  (MLS)  system  status  was  done  through  personal 
interviews  with  members  of  the  CAS  SPO.  The  technical  and  functional  experts  at  the 
SPO  were  able  to  explain  the  background  leading  up  to  the  current  system  configuration 
and  use.  We  also  examined  a  recent  USAFE  test  conducted  to  confirm  that  CAS-B  can 
be  operated  as  an  MLS. 

What  problems  exist? 

When  inputs  fi'om  field  level  users  and  MAJCOM  representatives  were  compiled,  the 
problems  associated  with  CAS-B  classification  ultimately  fell  into  four  categories: 
hardware,  software,  speed  and  accuracy  of  interfaces,  and  future  systems  development. 

Hardware 


The  hardware  issues  pertain  to  inconveniences  created  by  the  requirement  that  every 
terminal  located  outside  the  building  housing  the  mainframe  be  operated  through 
encryption/decryption  hardware.  This  requirement  is  currently  met  with  either  KG-84 
encryption  devices  or  STU-IIIs.  This  requirement  creates  two  problems  for  the  field. 

First,  all  field-level  units  are  restricted  in  their  ability  to  add  or  move  terminals.  This 
restriction  is  created  because  the  encryption  devices  must  be  installed,  and  the  facility  must 
be  approved,  by  communication  technicians.  The  second  burden  is  created  by  the 
requirement  for  encryption  devices  applied  to  units  that  are  using  KG-84s  for  that 


purpose.  KG-84’s  must  be  re-keyed  daily  and,  although  some  units  are  using  over  the  air 
re-keying  (OTAR),  many  still  have  an  individual  physically  re-key  each  shop’s  KG-84s 
each  morning. 

Software 

The  main  software  related  problem  pertains  to  report  production.  Currently,  the  software 
in  CAS  is  set  so  that  any  report  which  contains  data  from  certain  data  sets  is  automatically 
marked  Secret.  There  are  no  logic  tables  which  enable  the  software  to  determine  whether 
there  is  actually  classified  information  in  the  report.  This  software  feature  means  man¬ 
hours  are  spent  declassifying  hundreds  of  pages  of  reports  which  contain  no  classified 

data. 

Speed  and  Accuracy  of  Interfaces 

One  problem  identified  by  the  CAS  SPO  and  CAS-C  representatives  at  the  MAJCOMs  is 
complaints  about  the  speed  and  accuracy  of  transmission  between  CAS  levels.  Under 
current  operation,  all  CAS-B  transmissions  are  considered  classified  which  limits  the  lines 
available  for  any  transmission.  According  to  the  technical  experts  at  the  CAS  SPO,  the 
lines  available  are  limited  in  number,  quality  and  speed  capacity. 

Future  Systems  Development 

A  far-reaching  consideration  of  the  classification  of  CAS-B  is  the  impact  on  the  interface 
with,  and  design  of,  other  logistics  information  systems.  Currently,  users  must  have 
multiple  terminals  in  the  weapons  storage  area  just  to  meet  requirements  for  data  capture. 
The  Core  Automated  Maintenance  System  cannot  be  interfaced  with  CAS-B  because  of 
classification  restrictions.  The  Integrated  Maintenance  Data  System  (IMDS)  is  a  major 
system  in  development  which  will  be  impacted  by  munitions  data  classification.  The 
IMDS  contract  was  recently  awarded  and  the  system  will  eventually  subsume  CAS-B. 
The  functionality  of  CAS  has  been  identified  to  be  incorporated  in  the  3rd  increment  of 
IMDS,  which  is  scheduled  for  1999.  Resolving  the  munitions  classification  issue  will  aid 
in  this  and  other  interfacing  logistics  data  systems  development. 

What  data  is  classified? 

The  classification  of  data  in  CAS  is  spelled  out  in  the  USAF  Munitions  Classification 
Guide.  This  publication  is  the  responsibility  of  HQ  USAF/LGMW,  but  the  actual^ 
classification  authority  is  HQ  USAF/XO.  Reading  the  guide  itself  and  clarifying 
messages  from  XO  was  not  sufficient  for  an  outsider  to  interpret  what  data  was  actually 
intended  for  protection.  A  conversation  with  the  XO  representative  revealed  that  any 
reference  to  a  munition  which  identifies  it  as  a  WRM  asset  is  classified.  In  other 
words,  current  guidance  states  that  just  identifying  a  bomb  as  a  Category  G  (the  primary 
category  code  for  WRM  munitions)  makes  the  data  classified.  This  does  not  make  sense 
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and  was  part  of  the  impetus  for  AFMC  to  hold  the  munitions  classification  meeting  at 
Eglin  to  discuss  this  issue  with  XOFW. 

Munitions  Classification  Meeting 

The  Air  Force  representative  for  the  development  of  the  Ammunitions  Standard  System 
(the  DoD  system  in  development,  intended  to  replace  CAS-A  and  handle  wholesale 
munitions  management  for  the  DoD)  recognized  the  problem  with  the  somewhat 
ambiguous  Air  Force  guidance  and  convened  a  munitions  classification  meeting  from  16- 
18  September  1996  at  Eglin  Air  Force  Base.  This  meeting  was  attended  by  AFMC,  ACC, 
ASC,  HQ  USAF/LGMW,  HQ  USAF/XOFW,  a  member  of  the  AFLMA  research  team, 
and  other  munitions  representatives.  At  the  conclusion  of  the  meeting,  there  was 
consensus  that  protecting  the  identification  of  assets  as  WRM  assets  was  not 
accomplishing  what  XO  intends  to  protect.  XO  considers  any  indication  of  shortfalls  in 
WRM  munitions  Secret,  so  the  information  they  are  trying  to  conceal  is  the  difference 
between  the  on-hand  quantity  and  the  stated  WRM  requirements.  The  XO  representative 
agreed  to  staff  a  change  to  current  policy.  The  new  position  agreed  upon  was  that  only 
WRM  requirements  would  be  classified.  By  protecting  this  piece  of  information,  there 
would  be  no  potential  for  an  intruder  to  the  system  to  determine  whether  a  base  had  a 
shortfall  of  a  particular  weapon. 

Two  specific  classification  issues  were  raised  during  this  meeting.  Some  munitions  have 
uniquely  classified  data  as  identified  by  the  individual  classification  guide  for  those 
munitions.  For  some  missiles,  the  numbers  are  classified,  for  others  their  location  is 
classified.  However,  this  is  a  very  limited  population  (in  USAFE  over  the  past  five  years 
there  has  been  one  such  item),  and  should  not  be  a  driving  force  behind  CAS  classification. 
This  information  can  be  kept  off-line. 

Another  concern  raised  during  the  meeting  was  the  handling  of  classified  data  during 
contingencies.  Some  members  of  the  meeting  were  under  the  impression  that  more  data  is 
classified  during  contingencies.  The  Munitions  Classification  Guide  spells  out  exactly 
what  information  in  CAS  is  classified,  and  this  guide  applies  to  contingency  and  peacetime 
conditions.  If  the  change  is  made  to  make  only  WRM  requirements  classified,  this  change 
will  apply  to  peacetime  and  contingency  operations. 

Some  members  of  the  meeting,  including  HQ  USAF/LGMW  and  HQ  AFMC/  DRW  and 
ASC/WM,  still  believe  there  is  no  need  for  requirements  to  be  classified  because  this 
information  creates  no  discernible  threat  to  the  US.  They  cited  Executive  Order  12958- 
Classified  National  Security  Information  which  says  in  section  1.2  (b)  “If  there  is 
significant  doubt  about  the  need  to  classify  information,  it  shall  not  be  classified.”  They 
also  referred  to  another  section  which  puts  the  burden  of  justifying  classification  on  the 
classifying  authority.  The  same  EO,  section  1.2  (a)(4)  states  one  condition  that  must  be 
met  to  classify  information  is  that  “the  original  classification  authority  determines  that  the 
unauthorized  disclosure  of  the  information  reasonably  could  be  expected  to  result  in 
damage  to  the  national  security  and  the  original  classification  authority  is  able  to  identify 
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or  describe  the  dainage.”  Those  who  are  still  interested  in  challenging  the  classification 
are  not  satisfied  that  the  damage  has  been  identified  or  described.  Since  LGMW  and 
others  are  not  satisfied  with  the  classification  of  WRM  requirements  they  may  continue  to 
challenge  XOFW  as  supported  by  EO  12958,  Section  1.9  (a)  “Authorized  holders  of 
information  who,  in  good  faith,  believe  that  its  classification  status  is  improper  are 
encouraged  and  expected  to  challenge  the  classification  status  of  the  information... 

One  further  complication  in  the  guidance  for  classification  of  CAS  data  is  the  fact  that  the 
guidance  and  responsibility  for  WRM  assets  falls  under  the  domain  of  HQ  USAF/LGX. 

This  means  that  API  25-101  also  dictates  WRM  policy  and  Chapter  2  deals  with  the 
classification  guidance  for  the  WRM  program.  Currently  this  chapter  in  the  AFI  does  not 
match  the  current  guidance  from  XO  because  under  the  guidance  in  2.4.2  there  is  no 
requirement  that  data  be  classified  just  because  an  on-hand  quantity  was  identified  as  a 
WRM  asset.  According  to  current  XO  guidance,  this  is  required.  The  conflicts  in 
guidance  between  the  different  Air  Staff  offices  must  be  resolved  in  order  to  develop  a 
system  which  protects  the  correct  data. 

Is  CAS  a  MLS  system? 

CAS  was  designed  as  a  multi-level  security  computer  system.  The  MLS  features  were 
tested  and  certified  in  1992.  However,  CAS-B  is  essentially  operating  as  a  totally 
classified  system.  This  classified  mode  incorporates  hardware  and  software  setup.  Every 
PC  attached  to  a  mainframe  is  connected  through  encryption  devices,  consisting  of  either 
two  Data  STU  Ill’s  or  two  KG-84  encryption  devices.  Even  terminals  which  have  been 
designated  for  unclassified  use  only  are  fed  data  through  encryption.  This  hardware 
requirement  is  the  cause  of  many  of  the  difficulties  in  the  field.  The  KG-84s  require 
“keying”  to  make  them  operational.  This  means  that  someone  must  physically  go  to  each 
shop  with  a  CAS  terminal  and  key-up  the  machine  each  morning.  This  is  a  use  of 
manpower  that  is  created  solely  by  the  fact  that  the  CAS  is  not  trusted  as  an  MLS  system. 
Considering  CAS  a  completely  secret  system  also  puts  a  burden  on  the  users  by  restricting 
the  ability  to  move  or  add  terminals.  Many  shops  have  fewer  terminals  than  needed  or  no 
terminals  because  they  can’t  get  approval  for  classified  terminals.  This  is  an  unnecessary 
burden  since  very  few  of  the  shops  ever  need  access  to  classified  information,  since  so  few 
of  the  supply  points  have  classified  data.  Out  of  six  sample  bases,  10  of  300  supply  points 
are  classified.  This  small  percentage  of  supply  points  clearly  illustrates  the  over-kill  in 
current  terminal  configuration.  Although  only  three  percent  of  the  supply  points  include 
classified  data,  every  terminal  must  be  connected  through  encryption  devices  and 
specifically  authorized  by  communication  security  technicians.  Even  the  shops  which  have 
sufficient  terminals  are  unnecessarily  restricted  because  they  can’t  move  terminals  without 
getting  permission  and  assistance  from  communication  security  experts. 


CAS-B  transmissions  to  CAS-C  and  CAS-A 


CAS  software  has  never  been  developed  to  fully  exploit  the  capabilities  of  multi-level 
security.  Currently  all  transmissions  out  of  CAS-B  are  transmitted  as  classified  regardless 
of  the  level  of  classification  of  the  data.  This  causes  problems  in  transmissions  to  the 
higher  system  levels,  both  command  and  wholesale,  CAS-C  and  CAS-A  respectively. 
Making  every  transmission  classified  severely  limits  the  lines  available  for  transmission 
despite  the  fact  that  the  amount  of  data  which  is  actually  classified  is  very  small.  CAS 
representatives  indicated  that  for  the  number  of  classified  transmissions  required  out  of 
CAS-B  it  would  be  possible  to  have  one  day  out  of  each  month  when  data  was  transmitted 
in  classified  mode.  This  day  would  not  even  be  necessary  if  WRM  requirements  were 
removed  from  CAS-B. 

Reports 

During  development  there  was  an  intent  to  give  CAS-B  the  capability  to  print  classified  or 
unclassified  documents,  but  the  security  expert  at  the  CAS  SPO  explained  this  would  only 
be  possible  if  the  software  is  modified  to  use  logic  tables  to  determine  whether  there  is  a 
combination  of  data  which  makes  the  information  classified.  If  WRM  requirements  are 
removed  from  CAS-B,  all  documents  can  be  printed  in  an  unclassified  mode. 

USAFE  MLS  Test 

The  CAS  representative  for  USAFE  recognized  the  inefficiency  of  operating  all  terminals 
as  classified  and  proposed  a  test  to  determine  whether  it  was  possible  to  use  CAS-B  as  an 
MLS.  The  test  was  authorized  by  the  CAS  SPO  and  HQ  USAF/LGMW.  Since  the  test 
plan  was  essentially  a  repeat  of  the  1992  laboratory  test  done  during  development,  the 
CAS  security  experts  considered  the  risk  of  compromising  sensitive  data  minute. 
Consequently,  the  USAFE  test  was  conducted  in  the  summer  of  1996  with  live  data  at 
Ramstein  and  Spangdahlem  Air  Bases  in  Germany.  For  the  test,  terminals  were 
configured  to  receive  only  unclassified  data  and  the  mainframe  was  configured  to  send 
only  unclassified  data  to  those  terminals.  The  terminals  were  directly  connected  to  the 
mainframe  with  no  enciyption  devices.  At  designated  intervals,  audits  were  run  to 
determine  whether  any  classified  data  was  transmitted  or  received.  During  the  test,  there 
were  no  compromises  of  any  kind.  The  test  was  considered  successful  and  the  CAS  SPO 
is  considering  a  request  to  authorize  widespread  use  of  this  hardware  configuration  which 
makes  use  of  CAS  as  an  MLS  system. 


EVALUATION  OF  ALTERNATIVES 
Declassification  of  CAS-B 

The  first  alternative  to  current  CAS-B  operation  was  proposed  by  many  field,  MAJCOM 
and  HQ  USAF/LGMW  munitions  personnel.  Representatives  at  all  levels  proposed  that 
CAS-B  should  be  an  unclassified  system.  This  is  not  a  possible  alternative  under  current 
XO  classification  guidance,  but  will  be  possible  under  the  proposed  guidance.  Once  XO 
makes  guidance  changes  to  reflect  their  position  of  only  classifying  WRM  requirements 
the  system  can  be  declassified  if  WRM  requirements  are  not  kept  in  the  system.  In  the 
rare  case  of  classification  of  specific  data  for  individual  munitions,  the  data  can  be 
maint^ned  off-line.  The  WRM  requirements  data  in  CAS-B  is  loaded  annually  and  from 
the  War  Consumables  Distribution  Objective  (WCDO).  Once  the  requirements  are  loaded 
they  are  left  untouched  unless  there  is  a  change  to  the  WCDO.  The  units  visited  were 
under  the  impression  that  the  requirements  data  had  to  be  in  CAS-B  in  order  for 
MAJCOMs  to  use  the  data  for  requisition  and  redistribution  actions.  However, 

MAJCOMs  do  not  use  the  numbers  from  CAS-B  to  determine  course  of  requisition  and 
redistribution  actions.  The  MAJCOMs  use  the  Non-nuclear  Consumables  Annual  Analysis 
(NCAA)  and  the  Detailed  Logistics  Allocation  Report  (DLAR)  for  requisition  and 
redistribution  actions.  Furthermore,  The  Ammunition  Control  Point  (ACP)  does  not  use 
the  requirements  data  that  flows  from  C  AS-C  to  CAS-A.  Since  WRM  requirements  make 
up  a  very  small  portion  of  CAS  data  and  the  data  is  not  critical  to  the  base  level  system, 
nor  the  command  level  system,  the  data  can  be  removed.  Once  XO  makes  necessary 
changes  to  reflect  WRM  requirements  as  the  only  classified  data,  the  removal  of  WRM 
requirements  will  eliminate  the  need  for  classification. 

Implement  USAFE  Test  Configuration 

A  second  alternative  which  could  be  implemented  immediately  is  the  use  of  CAS  as  a 
MLS  as  demonstrated  in  the  USAFE  test.  Air  Staff  and  the  CAS  SPO  could  authorize  all 
unclassified  terminals  to  be  connected  directly  to  the  mainframe  without  encryption 
devices.  This  hardware  change  would  eliminate  restrictions  to  adding  or  moving  terminals 
and  would  eliminate  the  necessity  to  re-key  KG-84s  on  unclassified  terminals.  This 
alternative  would  not  cost  anything  and  could  save  the  cost  of  encryption  devices  and 
installation. 
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CHAPTER  3 


CONCLUSIONS  AND 
RECOMMENDATIONS 

CONCLUSIONS 


Current  guidance  from  XOFW,  LGMW  and  LGX  does  not  agree  concerning  which  data  is 
classified.  Once  XO  makes  the  appropriate  changes  to  reflect  that  the  only  data  they 
categorize  as  classified  is  WRM  requirements,  this  must  be  reflected  in  all  appropriate 
guidance. 

CAS-B  proved  to  be  multi-level  secure  in  both  laboratory  and  field  tests.  Testing  done  by 
the  contractor  responsible  for  CAS  security  during  initial  development,  and  by  USAFE 
during  the  summer  of  1996,  showed  no  classified  data  was  compromised  while  operating 
the  system  as  a  multi-level  secure  system. 

MAJCOMs  do  not  use  the  WRM  requirements  data  sent  forward  from  CAS-B.  The  users 
at  CAS-B  do  not  use  it  either,  it  is  dormant  unless  a  change  is  made  to  the  WCDO.  It 
does  not  make  sense  to  include  this  data,  especially  if  it  is  the  driving  force  behind 
classification  of  the  system.  If  WRM  requirements  are  removed  from  CAS-B,  the  entire 
system  can  be  operated  in  an  unclassified  mode. 

Since  there  is  no  need  to  maintain  the  classification  of  CAS-B  it  makes  sense  that  its 
functionality  is  projected  to  be  subsumed  by  the  Integrated  Maintenance  Data  System 
(IMDS).  Resolving  this  issue  now  will  relieve  IMDS  developers  of  the  burden  of 
developing  a  classified  system  to  accommodate  CAS-B  classification  requirements. 

RECOMMENDATIONS 


1.  As  soon  as  HQ  USAF/XOFW  makes  appropriate  changes  to  guidance,  reflecting  that 
only  WRM  requirements  are  classified,  remove  WRM  requirements  from  CAS-B  and  use 
it  as  an  unclassified  system.  (OPR:  HQ  USAF/XOFW,  HQ  USAF/LGMW) 

2.  Until  guidance  changes,  immediately  authorize  use  of  CAS-B  as  an  MLS,  by  approving 
direct  connection  between  the  mainframe  and  unclassified  terminals  as  demonstrated  in  the 
USAFE  test.  (OPR;  CAS  SPO,  HQ  USAF/LGMW). 

3.  Reconcile  guidance  to  reflect  one  standard  for  munitions  classification  through  a 
meeting  of  all  key  players,  including  HQ  USAF/LGMW,  HQ  USAF/XOFW,  HQ 
USAF/LGX,  APGM,  WR-ALC/LKG  and  the  CAS  SPO.  (OPR:  HQ  USAF/LGMW). 

DISTRIBUTION:  Refer  to  attached  Standard  Form  298. 


9 


APPENDIX  A 


BIBLIOGRAPHY 

1.  “Air  Force  Instruction  25-101  War  Reserve  Materiel  (WRM)  Program  Guidance  and  Procedures,” 
OPR:  HQUSAF/LGXX,  1  May  1996. 

2.  “Executive  Order  12958-  Classified  National  Security  Information,”  OPR:  The  President,  17  April 
1995. 

3.  “Information  Security  Oversight  Office;  Classified  National  Security  Information;  Final  Rule,”  OPR: 
Office  of  Management  and  Budget,  13  October  1995. 

4.  “Munitions  Classification  Meeting  Minutes,”  OPR:  AFMC/DRW,  18  September  1996. 

5.  “Trip  Report  for  Davis  Monthan  AFB  and  Luke  AFB”,  OPR:  AFLMA/LGM,  4  April  1996. 

6.  “USAF  Munitions  Security  Classification  Guide,”  OPR:  HQ  USAF/LGMW,  1  June  1991 

7.  “USAF  Munitions  Classification  Guide  Draft  Working  Paper,”  OPR:  Combat  Ammunition  System 
Program  Office,  3  Sep  96  . 


10 


